Women in Cybersecurity Report

According to data from the 2017 Global Information Security Workforce Study (GISWS), women comprise only 11% of the information security workforce – a number that has remained steady since 2013. The study also found that women in cybersecurity have higher levels of education than men, but fewer hold senior-level positions, and they earn less money.

This is a topic near and dear to most of us. It's really hard to get women into the industry and make it appealing for them. It is such an exciting field and I feel that it is not an opportunity that is really advertised for women. We all have to be ready to advocate for this industry and willing to educate if not mentor younger women into the industry. We can shepherd in this change and shift but we have to deliver a positive message about it.

In terms of us not earning as much, I personally feel this is a very touchy subject. Women are often looked at as not as smart as their male counterparts or not as worthy because we have babies and go on maternity leave or a host of other reasons. There is a lot at play in this arena and much of what goes into the earnings differences is not based on skills but perception. How do we change perception?

Interesting topic to discuss and debate about. The divide is clear and gender gap is huge, more so in India. I often see preference given to men candidates over women even if she is more qualified, or more suitable for the position, and this is at all levels - entry level to mid-management & senior management. I think just like other fields, for example Banking, Medicine or Education (considered acceptable and safe jobs for women in India even today), infosec will need time to accept women staff as equals.

Women not being paid as much is a real thing, but I always encourage women to ask for more. I’m in the US, so my advice is US-based.

We have a tendency to not haggle for a job; we don’t apply because we don’t meet most of the requirements; we want to be recognized for our accomplishments rather than push for the recognition.

That needs to change. I have had many jobs where unless I ask for more money, I don’t get it. When I ask and I can show why, I have not been turned down. I keep track of my accomplishments and ensure they are being seen and not brushed under the rug. I make sure that my goals are always pushing me forward. I mentor and champion others and it helps them and proves that I can train my replacements and that I’m building the company.

Women, security is a man’s world. We bring a fantastic perspective to the table and are able to do this job just like them or better.

But.

Mentor. Get mentored.

Pull up other women.

Show your value, don’t wait for others to notice.

Prove yourself - know how the business works.

Network. Don’t bury yourself. It’s easy to try to prove yourself by being that superstar-never-go-home woman. I suggest trying to get with male peers and go out. Talk. Join the football pool. Do not forget your soft skills.

ASK. Want that raise or promotion or better starting salary or benefits? Ask for them.

Fortunately, I work with a lot of women in my organisation in the security field, where they are valued and they work side by side. There is no bias, they can become inventors or Distinguished Engineers, just as well as a man. There are equal opportunities and it is actively encouraged every day.

Another issue is getting back into the workplace. There are many women who take time off for various reasons. In my case, I decided to take time off for education. Now I am in the process of reentering the marketplace, which hasn't been easy. Things may have changed since my last engineering job, but my experiences with the last few positions I held were positive and twofold.

First, the fellows I worked with were all easy going and gender never really was an issue as far as the job was concerned. They seemed to respect that I wasn't particularly into "being one of the guys" or being buddies. Keeping the work relationship professional, cordial, and pleasant worked well for me. The key was not to waver.

Second, on the rare occasion where a fellow(s) did underestimate me, or made my gender an issue, I found this to be to my advantage. In those cases, I kept my nose to the grind by taking on the more complicated and less desirable products and cases. In the long run this strategy paid off as I generally came out ahead of the guys in recognition, pay, and promotion.

Now, with that said, overall I think technology in nearly every area is progressing so quickly that my hope is eventually every person, regardless of gender, will be needed to keep up with the pace. It will be interesting to watch how opportunities for women continue to evolve.

Good article and very good subject. I think these cooperate and working in the cyber security field for women, it depends on their place too, because in somewhere like the US they can very easily grow up in this field and find any opportunity they want and the road is open for them, but in many other places maybe women cannot, and they are living in a limited place and they just lose their motivation and self-confidence for this: "they can be anyone, they can do anything and they can do whatever they have dreamed about". I think the women working in this field have to write a lot about this subject and share it with the whole world, and make free webinars and podcasts and anything to help women in the world to get their own self-confidence and get motivated and get back to the world and work in this field, because I think they can be very successful, because they have some specialty like great focusing on problems.

If the levels of women working in cyber were to double, the skills gap would be filled. This warrants effort to understand why levels are so low. When I started looking into this with our workforce study over 10 years ago, I believed we were well on our way to resolution. At the time levels of women were 11% and everybody was starting initiatives aimed at attracting women; however, the levels remain unchanged today and in Europe they are lower at 7%!

The themes discussed then remain the same as today – that we need to create a better, more broadly appealing image of the profession known to be geeky and highly technical, and we need to address inequalities. These are all true but may not speak to the heart of the issue.

The reasons for the lack of progress are not always gender specific – there are a lot of barriers to newcomers in general; we have seen a declining participation in the under 29s.

And they are not always obvious. Culturally most work in an environment that was established by men, and is still very male in terms of styles of communication, structure, management, negotiation, etc. Women, wherever they are, are likely to report to men and/or be the minority in a team dominated by men, but do not necessarily work in the same way as men, or understand how to effectively be heard. Anyone in a minority would find themselves putting extra energy into understanding how to fit into this team of ‘others.’ Perhaps the solution lies in proactively tackling the less tangible, which can be as simple as helping women come together and network, so they can recognize and acknowledge such influences and gain confidence in being themselves.

Interesting comments: Within my organisation - IBM, we actively encourage women in the security career pathway and leadership roles, in fact I know many women who come from the undergraduate program and are now working as leaders for various security service groups. This is the normal behaviour, perhaps it is not the norm, but it is definitely encouraged within this organisation on a day to day basis. I have linked younger graduates with such people, so that they can speak directly to these women, to obtain active guidance from them, whilst they are still making up their minds as to whether to go down the security career pathway. Perhaps one answer is to seek out organisations which promote diversity and women in the workplace as part of their inherent culture?

Sounds like a brilliant example of best practice from IBM. Would be good to learn from others about what they are doing either as individuals or team leaders around this issue. I am guessing it is a little challenging for those working in smaller organisations.

We have to stay in this for the long haul. This will take generational change. During my research for a paper for college, I found substantial proof that lack of motivation and confidence in math and science (STEM) classes in girls as young as grade school will cause them to be less confident in future STEM classes. This ultimately leads to many women dropping out of CS/Engineering majors in college, or early in their careers. It actually starts in grade school. We need to ensure that girls and boys are encouraged equally throughout their development and educational careers from the beginning, to excel at whatever they choose; not get stuck in stereotypes (girls = dolls and boys = legos).

I would strongly recommend Female Programmers and Penetration Testers to freelance if necessary, if being discriminated against for certain; therefore, you will not let anyone discriminate against your pay. Possibly start your own business. This is the pro of this skill: you can always make your own side money or work full time while freelancing on the side. However, experience and skillset do play a role as well; having a higher education is great but you never know if that person who does not have a "PhD" on paper is reading several books or perfecting their craft on the side. I decided to just get my Bachelors in CS so I can focus the majority of my time on penetration testing and coding. Renting books from the library is what I do monthly.

Diversity within cyber security should be required and today stories like the one below indicate that progress is moving slowly. Women must continue to voice their concerns openly regarding how we mitigate and strategize daily. The RSA Conference keynote speaker selection is an example that our voices and perspectives need to be heard.

Interesting article. I wonder if she asked to speak or if she was invited? Do we ask to speak or wait to be invited?

There are no easy answers... only perseverance. Don't get discouraged. Stay positive. Have a good support network. Pick your battles. Be strategic. Be courageous. Most of all, be yourself. In at least two jobs I beat the bro's at their own game by taking on the tasks everyone avoided. Within a short time I was the subject matter expert in more than one area. You can own the field but it's a lot of work. Respect came my way because I didn't make a big deal about my accomplishments when it was clear, I was running circles around some of the team members. That's the point too - be a part of the team. Most folks don't know what to do with someone who sticks to business. Stay cool. Be kind. Remember, the job is a stepping stone to wherever you are trying to go in the long run.

Most women I have interacted with view security as highly demanding and prefer lesser demanding specializations. This points out to poor mentoring and lack of awareness. I encourage them by sharing experiences, sharing links to informative articles and at times include them in security training programmes. More emphasis should be paid on raising awareness and mentorship in order to bridge this gap. As ISC2 there is need to create special programmes to focus on attracting more women to security such as special discounts, training, special chapter events on women and mentoring of female students.

Thank you for the insight and suggestions. We are certainly working hard to raise awareness with the study. Mentoring works best at a grass roots level to cater to local nuances I find and I think there are chapters doing this in different parts of the world. Are you a member of an (ISC)2 chapter?

There was a show of hands at the ISC2 summit in 2013, in which the audience were asked to put up their hands if they were CISSP qualified, then put their hands down if they were under 40, an ethnic minority or a woman. The profession appears overwhelmingly male and middle aged. I suspect that there has been a historic self selection bias, which seems to occur in many professions; so the existing senior select people very similar to themselves in terms of background, education, experience, career path, gender etc. Clearly, the skills shortage means this will have to change, and as those in their 50s and 60s retire the workforce should become more diverse.

I know why this phenomenon exists, but the real question is what will the industry do to try and fix this? Cyber security is a knowledge profession that’s neglecting a very valuable human resource in women and minorities who can offer diverse perspectives in solving security-related problems.

I'm coming into this discussion late, but one obstacle is the sponsorship requirement for the CISSP.

Another factor: for some women, they will be offered jobs not in cybersecurity per se and will pursue those types of positions because of better pay.

Another factor: "Breaking in" to cyber security is interesting -- but if you are changing careers, most companies only want to hire very junior positions and want to underpay. The "gap" involved in the cyber workforce should also be analyzed in terms of compensation.

Interesting...I'm a DOD contractor although my jobs change fairly quickly, I frequently work in shops hovering around 50:50 woman to men. Personally, as a man I enjoy working in a diverse environment as it brings new thought and problem solving views to the table. I'm also a huge champion of equal pay for equal work, and often I am at odds with nefarious contracting companies who seem to specialize in wringing dollars out of salaries and into corporate coffers.

Hmmmm. I don't think I have *ever* seen that, in an explicitly technical or security environment. (Are you accounting for contractor vs clerical positions?)

> Personally, as a man I enjoy working in a diverse environment as it brings new thought and problem solving views to the table.

Definitely.

> I'm also a huge champion of equal pay for equal work, and often I am at odds with nefarious contracting companies who seem to specialize in wringing dollars out of salaries and into corporate coffers.

I'm a contractor, and I see a good share of women in cybersecurity in the building I'm in right now! The government side is 4:7 woman to men right now. The contract side is a bit confusing as there are several small contracts floating around as well as several large ones. FWIW our CIO is a woman also.

We have many women where I work, who are at all levels of the organization. Several of the security managers are women and opportunities are offered in training and education equally to men and women. Our organization is also quite culturally diverse as well; many of my colleagues come from Europe, Asia and Africa.

I think this enables us to have a more vibrant and responsive stance with respect to all facets of security.

The organization I'm in has many women in the IA branch...in fact a woman leads the branch. I don't think the overall poor ratio in cyber is because of the folks in the trenches...we pretty much like working with a nice even ratio. I think the actual problem is usually upstairs. Why? I haven't a clue.

STEM is another issue. Many women start off in the "helping professions", and they're discouraged from pursuing Science, Technology, Engineering, and Mathematics. However, if they can be encouraged to study STEM and also to apply Humanities to the mix, women can be superior security analysts as they can dynamically apply understanding to threats and motivations.

> billclancy (Contributor I) posted a new comment in Workforce Study on 08-14-2018

> I don't think the overall poor ratio in cyber is because of the folks in the trenches...we pretty much like working with a nice even ratio. I think the actual problem is usually upstairs. Why? I haven't a clue.

Haven't much of a clue either, but I can't argue with you.

I've sometimes had pushback from trench-level IT people, but I've had endless troubles getting management to hire a woman. I remember one nice, quiet woman who definitely had the skills we needed: management wanted the loudmouthed (male) jerk who boasted a good game, but the skills didn't show on his resume. I had huge troubles at one place trying to get some not-terribly-technical tasks taken off an overworked division and given to some clerical staff. The stated position was that, since it had to do with the product, it was "development," but I think the real objection was that the clerical staff were women. On another (all male) team there were regular "after hours" meetings at a strip bar, a cache of pr0n on the development server, and a signed poster of a stripper on the wall. Management was loath to let me hire a woman because "the boys" would be upset. When I went to hire one, and noted to the systems analyst that they might want to take down the poster, not only did the poster disappear, but the pr0n directory was deleted from the server, and they never had another after hours meeting at the Cecil. (I didn't mention those: "the boys" did it themselves.)

(I should mention: the "community" seems to have a thing against women, or at least this topic. In my ongoing test of the "reply via email" function, this is the only reply that has been bounced by the system so far today :-)

(Aha! the pr0n filter strikes again. When I tried to post this manually, via the Website interface, it told me "You used a bad word, pr0n, in the body of your post. Please clean up the body before posting." Of course, in adding this explanation I had to change pr0n to pr0n.) (Oh, this is ridiculous. But you know what I mean ...)
